Open fviernau opened 1 month ago
There are parties interested in having this, I'll potentially work on this soon.
Ping @porsche-rishisaxena and @porsche-rbieniek as you might be interested in this work. We should talk about our respective experiences here, esp. having @porsche-rbieniek's "client layer" work in mind that has been mentioned here.
@sschuberth: we already have Blackduck as vulnerability provider integrated with the "Advisor Stage" in our Porsche version, where we transform the analyzer-result.yml into the bdio format of Blackduck to look up the dependency and version. If found, we get the vulnerability information as per the CVSS 3.x standard. This solution has been LIVE for 3 months now in the Porsche Eco-System.
Thanks for sharing this achievement! This could be of interest to a client that @fviernau is working for, I believe. I'm trying to bring together the community here in order to exchange knowledge / experience and not reinvent the wheel.
Black Duck, amongst others, is a data source for security vulnerabilities. The goal of this ticket is to make that data source available by integrating Black Duck as a so-called advisor into ORT.
Out of scope: any other capability Black Duck has besides security vulnerabilities, such as scanning, e.g. for code snippets.
There is no public Black Duck instance, and the REST API docs seem to be available only via the actual instance, see also 1.